In brief ⚡
😮 AlphaPo, a company handling crypto payments for HypeDrop, Bovada, Ignition, and other gambling services, lost around $60 million in Ethereum, Tron, and Bitcoin. The funds were taken from their hot wallets in a recent security breach.
🔒 Palmswap Loses $900K to Price Manipulation Exploit Due to Liquidity Calculation Error
😱 DeFi Platform Eralend on zkSync Hit by $3.2M Attack Due to Vulnerability in SyncSwap Code
🏉 Carson DeFi Token Exploited: Flash Loan Attack Results in ~$14.4K Profit
😬 CoinsPaid Crypto Payment Platform Hacked for $43.8M, Suspected Involvement of Lazarus Group
🤦 DeFi Platform DefiLabs Loses $1.4M in Rug Pull Exploit on BNB Chain
Hacks and Scams⚠️
AlphaPo
Amount of Loss: ~$60 Million
Analysis
Crypto payments processor AlphaPo, serving gambling platforms like HypeDrop, experienced a staggering $60 million loss across Ethereum, Tron, and Bitcoin over the weekend.
The initially reported figure was $23 million, but an additional $37 million was later traced and added to the total.
HypeDrop, a platform relying on AlphaPo, suspended deposits but assured users that withdrawals would be honoured without mentioning the hack.
The attack is attributed to Lazarus, a state-sponsored group known for its distinctive on-chain fingerprint and sophisticated phishing campaigns.
The attacker drained AlphaPo's Ethereum hot wallet (alphapo.eth) of 2,464 ETH and various other tokens, including more than 6 million USDT.
The on-chain movement of the funds and the wallets involved match patterns previously attributed to Lazarus, linking this incident to the earlier Atomic Wallet theft and possibly to the CoinsPaid breach.
PalmSwap
Amount of Loss: ~$900K
Analysis
On July 25th, 2023, Palmswap, a decentralized leverage trading platform on the Binance Smart Chain, was exploited for around $900,000.
The root cause was a price manipulation vulnerability: the exchange rate between USDP (Palm USD) and PLP (Palm LP) tokens came from a liquidity calculation that could be moved within a single transaction.
Using flash loans, the attacker shifted that exchange rate to inflate the PLP price, then removed liquidity at the artificially high rate and kept the difference.
Any valuation that reads current pool balances (a spot price) rather than a time-weighted or invariant-based price is exposed to this pattern, because a flash loan lets an attacker control arbitrary liquidity for the duration of one transaction.
Eralend
Amount of Loss: ~$3.2 Million
Analysis
Eralend, a lending protocol on zkSync, lost $3.2 million to an attack that exploited a discrepancy between the value it computed at borrow time and the value it computed at liquidation time.
The attacker used a reentrancy in the SyncSwap pool code to manipulate the price that Eralend read.
By calling SyncSwap's burn function to redeem their LP tokens and, while still inside that call, borrowing cTokens from Eralend, the attacker had the position valued against reserves the pool had not yet updated.
Once the burn completed and the reserves were written, the attacker could repay the loan with fewer tokens than were borrowed and keep the difference.
The attacker repeated this across several contracts to drain a substantial amount of USDC.
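The two mechanisms above, a spot-derived LP price that a flash loan can move (Palmswap) and a price read while a pool is still inside burn() before it has recorded new reserves (Eralend), can be reproduced in a toy constant-product pool. The following is an added illustration, not Palmswap, SyncSwap or Eralend code; the pool sizes, the 0.3% fee, the function names and the "fair LP price" formula (2·sqrt(r0·r1·p0·p1)/supply with external reference prices) are assumptions chosen to show the class of bug, not the exact arithmetic of the affected contracts.

```python
"""Toy x*y=k AMM showing (a) spot-based LP pricing moved by a flash loan and
(b) a price read mid-burn, before the pool updates its reserves.
Added illustration; not Palmswap, SyncSwap or Eralend code."""
from math import isqrt

FEE_BPS = 30  # assumed 0.3% swap fee, Uniswap-v2 style


class Pool:
    """Two-token constant-product pool with LP shares, integer math as on the EVM."""

    def __init__(self, r0, r1):
        self.r0, self.r1 = r0, r1        # reserves as last recorded by the pool
        self.bal0, self.bal1 = r0, r1    # tokens the pool contract actually holds
        self.supply = isqrt(r0 * r1)     # LP shares outstanding

    def swap0_for_1(self, amount0_in):
        """Sell token0 into the pool for token1; reserves update immediately."""
        in_with_fee = amount0_in * (10_000 - FEE_BPS)
        amount1_out = in_with_fee * self.r1 // (self.r0 * 10_000 + in_with_fee)
        self.bal0 += amount0_in
        self.bal1 -= amount1_out
        self.r0, self.r1 = self.bal0, self.bal1
        return amount1_out

    def burn(self, shares, callback=None):
        """Redeem LP shares pro rata. The pool pays out (and hands control to a
        contract receiver) BEFORE it records the new reserves, so anything run from
        `callback` sees stale r0/r1 against an already reduced supply."""
        amount0 = shares * self.bal0 // self.supply
        amount1 = shares * self.bal1 // self.supply
        self.supply -= shares
        self.bal0 -= amount0
        self.bal1 -= amount1
        if callback is not None:
            callback(self)                          # reentrancy window
        self.r0, self.r1 = self.bal0, self.bal1     # the pool's _update(), run last
        return amount0, amount1


def lp_value_spot(pool):
    """Naive LP valuation in token0 units: price token1 by the pool's own reserve
    ratio, so value per share = (r0 + r1 * r0/r1) / supply = 2*r0/supply."""
    return 2 * pool.r0 / pool.supply


def lp_value_fair(pool, p0, p1):
    """Manipulation-resistant valuation built on k = r0*r1 and external reference
    prices p0, p1 (same unit). A swap leaves k unchanged apart from fees, so a
    flash loan cannot inflate this number inside one transaction."""
    return 2 * (pool.r0 * pool.r1 * p0 * p1) ** 0.5 / pool.supply


def lp_value_spot_guarded(pool):
    """Cheap staleness check for a consumer: if the pool's token balances disagree
    with its recorded reserves, a mint/burn is in progress and the read is refused."""
    if (pool.bal0, pool.bal1) != (pool.r0, pool.r1):
        raise RuntimeError("pool reserves are stale: read attempted mid-update")
    return lp_value_spot(pool)


def flash_loan_manipulation(flash_amount0):
    """Palmswap-style scenario: dump flash-loaned token0 into a constructed 1:1
    pool and report how each valuation moves as (spot_ratio, fair_ratio)."""
    pool = Pool(1_000_000, 1_000_000)
    spot_before, fair_before = lp_value_spot(pool), lp_value_fair(pool, 1, 1)
    pool.swap0_for_1(flash_amount0)
    return (lp_value_spot(pool) / spot_before,
            lp_value_fair(pool, 1, 1) / fair_before)


def reentrant_burn_read(shares):
    """Eralend-style scenario: a lender values LP collateral while the pool is still
    inside burn(). Returns (value_seen_mid_burn, value_after_burn, guarded_rejected)."""
    pool = Pool(1_000_000, 1_000_000)
    seen = {}

    def lender_reads_price(p):   # stands in for the lending protocol being reentered
        seen["mid"] = lp_value_spot(p)
        try:
            lp_value_spot_guarded(p)
            seen["rejected"] = False
        except RuntimeError:
            seen["rejected"] = True

    pool.burn(shares, callback=lender_reads_price)
    return seen["mid"], lp_value_spot(pool), seen["rejected"]


if __name__ == "__main__":
    print("flash loan of 5M token0: spot ratio %.2f, fair ratio %.4f"
          % flash_loan_manipulation(5_000_000))
    print("mid-burn value %.2f vs post-burn %.2f, guarded read rejected: %s"
          % reentrant_burn_read(500_000))
```

With the constructed numbers a 5,000,000 token0 flash loan multiplies the spot-based LP value by six while the k-based value moves by about 0.1% (the fee), and burning half the shares makes the spot read inside the callback report twice the post-burn value; the balance-versus-reserve comparison refuses that read. Real consumers should additionally prefer a TWAP or a reentrancy-locked call into the pool, since balances can also be skewed by direct token transfers.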
Carson
Amount of Loss: ~$14.4K
Analysis
Carson, a DeFi token on the Binance Smart Chain, was exploited in a single transaction.
The attacker operated from an unverified (closed-source) contract, funded the attack with flash loans, and routed swaps through the router's swapExactTokensForTokensSupportingFeeOnTransferTokens function.
The attacker came away with approximately 600 BNB (~$14.4k), which was converted to BUSD.
The price of Carson was pushed up by repeatedly burning the token balance held by the liquidity pair: shrinking that reserve raises the quoted price of the remaining tokens, which is where the profit came from.
CoinsPaid
Amount of Loss: ~$43.8 Million
Analysis
CoinsPaid, a crypto payment platform serving online casinos, suspended withdrawals without explanation and initially put the halt down to a "technical issue."
After Bitcoiner Jameson Lopp tweeted that a hack was the likely cause, CoinsPaid replied that its team was aware of the issue and would make an official announcement.
Crypto researchers pointed to indications that the Lazarus Group could be behind the incident.
CoinsPaid subsequently confirmed a $43.8 million hack and named the Lazarus Group as the likely perpetrator.
Speculation also linked this incident to the $60 million hack of AlphaPo, another crypto payment processor serving online casinos; some believe the same individuals operate both platforms.
Taken together, the two incidents raise concerns about the security of crypto payment processors catering to gambling services.
DefiLabs
Amount of Loss: ~$1.4 Million
Analysis
DefiLabs, operating on the BNB Chain, rug-pulled its users for approximately $1.4 million.
A privileged address used the backdoor function withdrawFunds() to pull 1,427,200 BSC-USD that users had staked in the vPoolv6 contract.
This was not an accidental bug: the contract contained an owner-only path that could move user deposits, and whoever held that key used it.
Users who had staked in vPoolv6 bore the loss, and the incident underlines the risk of privileged addresses in DeFi protocols on the BNB Chain and elsewhere.
A staking contract with an unconstrained privileged withdrawal is only as trustworthy as the key holder; an audit that flags such functions, or a timelock or multisig gating them, is the minimum users should look for before depositing.
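A first pass at the check just described can be automated against verified source before depositing: walk each function in the contract and flag the ones that are gated by an owner or role modifier and also move tokens or native value out. The scanner below is an added example, not DefiLabs code or any audit tool's output; the contract text is constructed to resemble the withdrawFunds() pattern from the analysis, and the marker lists are heuristics (they will miss privilege checks spelled differently and will not see through delegatecalls or proxies).

```python
"""Heuristic scan of Solidity source for privileged functions that move funds out.
Added example; the sample contract is constructed and the markers are heuristics."""
import re

# Constructed sample modelled on the backdoor described for DefiLabs (hypothetical).
SAMPLE_SOURCE = """
contract vPool {
    mapping(address => uint256) public staked;
    IERC20 public token;
    address public owner;
    modifier onlyOwner() { require(msg.sender == owner); _; }

    function stake(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        staked[msg.sender] += amount;
    }

    function unstake(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient");
        staked[msg.sender] -= amount;
        token.transfer(msg.sender, amount);
    }

    function withdrawFunds() external onlyOwner {
        token.transfer(owner, token.balanceOf(address(this)));
    }

    function setOwner(address o) external onlyOwner { owner = o; }
}
"""

# Assumed marker lists; extend for the code base under review.
PRIVILEGE_MARKERS = ("onlyOwner", "onlyAdmin", "onlyRole", "msg.sender == owner")
FUND_MOVERS = ("transfer(", "transferFrom(", "safeTransfer(", ".call{value", "selfdestruct(")


def _function_spans(source):
    """Yield (name, header, body) for every function with a body, matching braces
    so nested blocks inside the body are handled."""
    for m in re.finditer(r"function\s+(\w+)\s*\(", source):
        body_start = source.find("{", m.end())
        if body_start == -1:
            continue                         # declaration without a body
        depth, i = 0, body_start
        while i < len(source):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), source[m.start():body_start], source[body_start:i + 1]


def find_privileged_fund_movers(source):
    """Return names of functions that are access-gated AND move tokens/value out.
    `unstake` moves funds but is not gated; `setOwner` is gated but moves nothing."""
    findings = []
    for name, header, body in _function_spans(source):
        privileged = any(k in header for k in PRIVILEGE_MARKERS) or \
                     any(k in body for k in PRIVILEGE_MARKERS)
        moves_funds = any(k in body for k in FUND_MOVERS)
        if privileged and moves_funds:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for fn in find_privileged_fund_movers(SAMPLE_SOURCE):
        print("privileged fund-moving function:", fn)
```

A hit is not proof of malice; treasury sweeps and fee collection look the same. The question to ask of each hit is whether it can touch balances that belong to users (here, the pool's entire token balance) and what, if anything, constrains the key that can call it.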
Explore the Depths of Knowledge: Research Papers & Blogs🔖
10 protocols from which you can gain a wealth of knowledge
This article discusses ten prominent DeFi protocols that offer valuable learning opportunities for developers. It covers various aspects such as decentralized exchanges (Uniswap V3), NFT marketplaces (Seaport), token streaming (Llamapay), and NFT lending (Llamalend). Additionally, it explores protocols focusing on reserve currencies (OlympusDAO), multisig wallets (Safe), on-chain social features (Lens Protocol), vaults and staking (Yearn), liquid staking (Lido), and the diamond pattern (Dark Forest). The article encourages readers to explore these resources to enhance their knowledge and skills in the DeFi space.
Decoding Palmswap’s $900k Exploit
On the 25th of July 2023, Palmswap on the Binance Smart Chain was attacked. The attack was made possible by a price manipulation vulnerability, and the exploiter stole around $900k.
Web3 Community Spotlight🔦
We are proud to announce that we are Community Partners at @token2049!
Token2049 is the premier crypto event, organized annually in Singapore. Book your tickets to Marina Bay Sands for September 13–14, 2023, to attend the biggest event in the world
Our Testimonials 🙂
QuillCTF has been an impressive regularly updated CTF challenge platform. The platform's engaging challenges and realistic scenario give participants an opportunity to hone their web3 security skills. I highly recommend QuillCTF to anyone looking to improve their web3 security skills in a fun and challenging environment.
~ SunSec
"Playing QuillCTFs would be a good first resource to get into blockchain security for those looking to get into smart contract auditing"
~ Curta CTF Founder
Hi, I'm not good at writing testimonials; this is my thought:
Beyond the points lies the growth. Some challenges really pushed me to learn new things; those nights have now become knowledge and great memories, inspiring me to continue exploring blockchain security. Thanks to Quill for organizing this incredible event and to everyone who contributed, you are awesome, see you in the next season.
~ aj3423
I was late in discovering QuillCTFs, but I quickly realized that I love it! It's been a great experience just spending a few hours every week learning from the well-designed small contracts with vulnerabilities prepared by the authors. Moreover, it allows me to practice writing foundry tests at the same time :)
~ Y4nhu1
Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.